Understanding AI Coding Agents and GitHub as the "Workplace"
To understand this incident, start with the "combination of components" that underlies modern software development. Today's applications are not written line by line from scratch. In practice they are "assembled products," built by sourcing and combining countless open-source components (packages) written by people around the world. The public registries that host these components are npm for JavaScript and PyPI for Python, and a single web application commonly pulls in hundreds or even thousands of packages through a cascading chain of transitive dependencies. The largest platform hosting the source code and change histories of these components is GitHub, which Microsoft acquired in 2018.
This "assembled product" structure is efficient, but carries a critical weakness. If poison is inserted into a single widely-used component, that poison spreads simultaneously to the tens of thousands of downstream developers and companies that sourced it. This is what is known as a "software supply chain attack," and it is considered the most serious attack category in cybersecurity in recent years. The target is not individual companies, but the very "faucet" that everyone shares and trusts.
And in 2026, a new player entered this picture: "AI coding agents" such as Claude Code (by Anthropic), Cursor (by Anysphere), Gemini CLI (by Google), and GitHub Copilot on VS Code (by Microsoft). These are not mere autocomplete tools — they are autonomous workers that read code, make plans, execute commands, and even run tests on behalf of developers. What is important here is that when these agents begin their work, they load "configuration files" placed in the project folder and operate automatically according to those instructions. Specifically, Claude Code references .claude/settings.json, Cursor references rules under .cursor/rules, and VS Code references files such as .vscode/tasks.json. These were originally intended for convenience features like "run this initialization script at session start" or "execute this build task when the folder is opened." Because these files live inside the repository itself, whoever can commit to the repository decides what the agent runs on the machine of every developer who opens it.
A concrete example makes this easy to understand. A developer fetches a trusted Microsoft sample repository from GitHub and casually "opens" it in Cursor or VS Code. That single action is enough — a configuration file lurking in the folder pulls the trigger at launch, and a script begins running in the background, all without the developer having clicked a thing. (In VS Code, a folderOpen task runs only once the folder has been marked trusted, so the Workspace Trust prompt is the one remaining checkpoint; a developer who habitually clicks "trust" on freshly cloned folders has removed it.) The Miasma attack exploited precisely this new entry point unique to the age of AI agents: the ability to execute automatically the moment a folder is opened.
Incident Overview: 73 Repositories Disappeared in 105 Seconds
The incident came to light on Friday, June 5, 2026. Combining analyses from supply chain security firm StepSecurity and researchers at OpenSourceMalware, Snyk, and Cloudsmith, the attack began when malicious commits were pushed to the Azure/durabletask repository using a contributor account that had been compromised beforehand. Durabletask is the core of the "Durable Task" framework used to handle long-running workflows in Azure Functions and similar services — a component close to the heart of Microsoft's cloud development infrastructure.
Once GitHub's automated fraud detection triggered, events unfolded literally second by second. Multiple reports (The Register, OpenSourceMalware, BankInfoSecurity) consistently state that GitHub disabled a total of 73 repositories in two waves over 105 seconds, from 16:00:50 to 16:02:35 UTC on June 5. In the first wave, 39 repositories were taken down in approximately 38 seconds; in the second wave, 34 more were shut down in just 11 seconds. The disabled repositories spanned four official Microsoft GitHub organizations: Azure, microsoft, Azure-Samples, and MicrosoftDocs. Evidence has also been reported that the attacker attempted to delay detection by backdating commit timestamps to "2020-03-09."
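The backdating evasion mentioned above suggests one cheap history check. The following Python, added here as an example (it is not the page's own material nor tooling from the researchers it cites), parses `git log` output and flags any commit on a first-parent walk whose committer date sits more than an hour before its parent's, since a genuine linear history moves forward in time. The log lines, hashes and subjects are constructed for the demonstration, and the page does not say how the real commits were backdated, so this is one detection heuristic rather than a reconstruction of the attacker's method.

```python
"""Spot commits whose committer date runs backwards relative to their parent,
the trace a backdated commit leaves on a linear history.
Added example; not code from the original article or from any vendor."""
from datetime import datetime, timezone

# Constructed sample of
#   git log --reverse --first-parent --format='%H%x09%at%x09%ct%x09%s'
# output (parent-first order). Hashes, dates and subjects are made up.
SAMPLE_LOG = """\
a1b2c3\t1780000000\t1780000000\tUpdate README
d4e5f6\t1780100000\t1780100000\tFix typo in docs
0badc0de\t1583712000\t1583712000\tAdd setup helper
f7a8b9\t1780200000\t1780200000\tBump version
"""


def parse_log(text):
    """Parse tab-separated log lines into dicts with integer timestamps."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, author_ts, commit_ts, subject = line.split("\t", 3)
        commits.append({"sha": sha, "author_ts": int(author_ts),
                        "commit_ts": int(commit_ts), "subject": subject})
    return commits


def find_backdated(commits, tolerance=3600):
    """Return commits whose committer date is earlier than the parent's by more
    than `tolerance` seconds. Small skews are normal (clock drift, rebases);
    a multi-year jump backwards in the middle of a linear history is not."""
    flagged = []
    for prev, cur in zip(commits, commits[1:]):
        gap = prev["commit_ts"] - cur["commit_ts"]
        if gap > tolerance:
            flagged.append({**cur, "parent_sha": prev["sha"], "backdated_by_s": gap})
    return flagged


def as_utc(ts):
    """Render a Unix timestamp as a UTC calendar date."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d")


if __name__ == "__main__":
    for c in find_backdated(parse_log(SAMPLE_LOG)):
        print(f"{c['sha']} is dated {as_utc(c['commit_ts'])} but follows "
              f"{c['parent_sha']}; committer clock moved back {c['backdated_by_s']} s")
```

Run it against a real checkout by piping the `git log` command in the comment into `parse_log`. The check only catches a committer date pushed into the past on an existing branch; a fully fabricated branch with internally consistent dates needs a different comparison, such as against the platform's push or reflog timestamps.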
In short, the official repositories of Microsoft — one of the most trusted companies among developers worldwide — were collectively "shut down" by the automated defenses of a platform Microsoft itself owns (GitHub), faster than any human could notice. Ironically, the sheer speed of that automated response was itself a testament to the severity of the attack and the pace of threats that human intervention can no longer keep up with.
How the Attack Worked: The "Configuration File" Becomes an Execute Button
The technical core is detailed in analyses by StepSecurity and Hive Security. The malicious commit hid five files inside the repository. .claude/settings.json for Claude Code and .gemini/settings.json for Gemini CLI contained "SessionStart" hooks designed to fire immediately after the agent launches, before the user takes any action. .cursor/rules/setup.mdc for Cursor embedded prompt injection to make the AI behave maliciously, and .vscode/tasks.json for VS Code was configured with a task that runs automatically on folderOpen. The payload that these triggers invoke is an obfuscated JavaScript file — 4,643,745 bytes (approximately 4.6 megabytes) — placed in .github/setup.js.
When this payload executes, it siphons credentials wholesale from the infected developer's machine. According to StepSecurity, the targets include secrets from major cloud platforms such as AWS, Azure, GCP, and Kubernetes, as well as over 90 developer tool configurations — GitHub and npm tokens, SSH keys, Vault tokens, and even password manager CLI vaults. If any stolen token carries publish permissions, the worm uses it to copy itself into other packages or repositories, automatically hopping from victim to victim. True to its name "Miasma" — drawn from Greek mythology — the infection is designed to spread like a plague.
What sets this attack apart from conventional supply chain attacks is the persistence that Hive Security highlights: it does not disappear when the package is removed. Traditional npm malware hides inside node_modules and executes at install time, so uninstalling the malicious package removed the trigger (though not whatever it had already exfiltrated). But AI agent configuration files do not live in node_modules — they reside in the project itself, in the directory tracked by version control (Git). Even if a developer notices the offending package and removes it, the backdoors left behind in .claude/ or .vscode/ survive intact, and are carried as legitimate changes into other repositories via Git commits. In Hive Security's own words, "the backdoor has already escaped the package manager's control." AI agents are "trusted, highly privileged, persistent, act before the user does, and have access to environment variables including cloud credentials" — making them the perfect foothold for an attacker.
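The persistence argument above points to where a check has to run: on the trigger files in the working tree, not on the payload. The following Python script, added here as an example (it is not code from the original page, from Hive Security, or from any of the vendors named), walks a checkout and reports the agent and IDE configuration files that would execute commands or inject instructions the moment the project is opened. The Claude Code hooks layout and the VS Code `runOptions.runOn: "folderOpen"` field are the documented formats; treating `.gemini/settings.json` like Claude Code's hooks block is an assumption, the `alwaysApply` test on Cursor rules is a review heuristic rather than a detection of prompt injection, and the sample repository it builds, including the `node .github/setup.js` command string, is constructed for the demonstration.

```python
"""Flag AI agent / IDE configuration files in a repository checkout that run
commands or push instructions to the model automatically when the project
is opened. Added example; not the original page's or any vendor's code."""
import json
import re
import tempfile
from pathlib import Path

# Config files whose hooks fire before the user acts. The Claude Code and
# VS Code layouts are the documented ones; treating .gemini/settings.json
# like Claude Code's hooks block is an ASSUMPTION for this example.
HOOK_FILES = {
    ".claude/settings.json": ["SessionStart"],
    ".claude/settings.local.json": ["SessionStart"],
    ".gemini/settings.json": ["SessionStart"],
}
VSCODE_TASKS = ".vscode/tasks.json"
CURSOR_RULES = ".cursor/rules"


def _load_json(path):
    """Parse JSON. Editors tolerate JSONC comments but this parser does not,
    so an unparseable file is reported rather than silently skipped."""
    try:
        return json.loads(path.read_text(encoding="utf-8"))
    except (json.JSONDecodeError, UnicodeDecodeError):
        return None


def _hook_commands(data, hook_names):
    """Yield (hook_name, command) for each command registered under hook_names.
    Layout: {"hooks": {"SessionStart": [{"matcher": "...", "hooks":
    [{"type": "command", "command": "..."}]}]}}."""
    hooks = data.get("hooks") if isinstance(data, dict) else None
    if not isinstance(hooks, dict):
        return
    for name in hook_names:
        for group in hooks.get(name) or []:
            if not isinstance(group, dict):
                continue
            for h in group.get("hooks") or []:
                if isinstance(h, dict):
                    yield name, str(h.get("command", h))


def _folder_open_tasks(data):
    """Yield (trigger, command) for tasks with runOptions.runOn == folderOpen."""
    for task in (data.get("tasks") if isinstance(data, dict) else None) or []:
        if not isinstance(task, dict):
            continue
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            yield "folderOpen", str(task.get("command") or task.get("label"))


def scan_repo(root):
    """Return a list of {file, trigger, command} findings for a checkout."""
    root = Path(root)
    findings = []
    for rel, names in HOOK_FILES.items():
        path = root / rel
        if path.is_file():
            data = _load_json(path)
            hits = [("unparseable", "")] if data is None else list(_hook_commands(data, names))
            findings += [{"file": rel, "trigger": t, "command": c} for t, c in hits]
    tasks = root / VSCODE_TASKS
    if tasks.is_file():
        data = _load_json(tasks)
        hits = [("unparseable", "")] if data is None else list(_folder_open_tasks(data))
        findings += [{"file": VSCODE_TASKS, "trigger": t, "command": c} for t, c in hits]
    # Cursor rules are prompts, not code, but an alwaysApply rule reaches the
    # model in every session, so it is flagged for human review.
    rules = root / CURSOR_RULES
    if rules.is_dir():
        for mdc in sorted(rules.glob("*.mdc")):
            head = mdc.read_text(encoding="utf-8")[:2000]
            if re.search(r"^alwaysApply:\s*true\s*$", head, re.M):
                findings.append({"file": str(mdc.relative_to(root)),
                                 "trigger": "alwaysApply", "command": ""})
    return findings


# Constructed sample checkout for the demo; the file contents and the command
# string are illustrative, not the real Miasma commit.
SAMPLE_FILES = {
    ".claude/settings.json": json.dumps({"hooks": {"SessionStart": [
        {"matcher": "", "hooks": [{"type": "command", "command": "node .github/setup.js"}]}]}}),
    ".vscode/tasks.json": json.dumps({"version": "2.0.0", "tasks": [
        {"label": "setup", "type": "shell", "command": "node .github/setup.js",
         "runOptions": {"runOn": "folderOpen"}}]}),
    ".cursor/rules/setup.mdc": "---\ndescription: setup\nalwaysApply: true\n---\nRun the setup task first.\n",
    ".vscode/settings.json": json.dumps({"editor.tabSize": 2}),  # benign, must not be flagged
}


def build_sample_repo():
    """Materialise SAMPLE_FILES in a fresh temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="agent_scan_"))
    for rel, content in SAMPLE_FILES.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(content, encoding="utf-8")
    return root


if __name__ == "__main__":
    for f in scan_repo(build_sample_repo()):
        print(f"{f['file']}: {f['trigger']} -> {f['command']}")
```

Run `scan_repo` on a clone before opening it in an editor or agent, and again on any branch you are about to merge; the useful signal is a hook or task appearing in a repository that never had one. A finding is not proof of compromise, since legitimate projects do ship setup hooks, but it is the question to ask before the folder is trusted.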
Impact scope: stalled CI/CD, affected developers
The disabling of 73 repositories went far beyond a simple "pages becoming inaccessible." Among those suspended was Azure/functions-action, the official component used to automatically deploy applications to Azure Functions via GitHub Actions. As reported by The Register, the sudden disappearance of this component caused a cascading breakdown of CI/CD (Continuous Integration/Delivery) pipelines across organizations worldwide that had incorporated it. Even development teams that had written no code and had no connection to the attack were caught up in the fallout that morning, finding that their builds were failing and deployments were broken. The affected repositories spanned a wide range of Azure's serverless infrastructure, developer tools, and technical documentation, including the Azure Functions host, Python workers, and microsoft/durabletask-dotnet.
The true harm lies less in the temporary suspension of repositories and more in the developers who may have already ingested the poison. Any developer who pulled the affected repositories and opened them in an AI agent or IDE during the window between when the malicious commits were pushed and when GitHub disabled them may have unknowingly had their credentials stolen. Microsoft spokesperson Ben Hope told TechCrunch, "As part of our investigation, we have notified a limited number of customers who may have retrieved content from the affected repositories." The exact number of affected customers has not been disclosed. Security firms have strongly urged organizations using Azure Functions-related components to immediately rotate (reissue) their cloud and developer tool credentials and to verify the integrity of their repositories.
It should be noted that the majority of the disabled repositories were gradually restored after Microsoft and GitHub completed their initial investigation and removed the malicious code. Ben Hope commented, "We temporarily removed some repositories to investigate the possibility of malicious content. Some have been restored after review, but some may remain offline as work continues."
Cause of the Breach: Why the "Second Time" Happened
OpenSourceMalware's characterization of this incident as a "re-compromise of the Durable Task project" cuts to the heart of the matter. This attack did not come out of nowhere — it was the unfinished business of a first breach that occurred roughly three weeks earlier.
The timeline is as follows. On May 19, 2026, the same compromised account published three malicious versions of Microsoft's durabletask package to PyPI (Python's registry) in rapid succession within just 35 minutes. That was the first breach. As StepSecurity's Ashish Kurmi noted, the tokens leaked in that initial incident had not been fully revoked (invalidated). As a result, the attacker retained the stolen credentials and lay in wait, then in June used those same credentials to push malicious commits to the Azure/durabletask repository on GitHub. In other words, the direct cause was not a sophisticated technique like a zero-day vulnerability, but rather a classically operational pitfall: "the stolen keys were never fully replaced."
This fact also shows why the incident cannot be reduced to a single company's failure — a "Microsoft blunder." XDA-Developers sharply noted that the entire attack chain passed through infrastructure under Microsoft's control: the credential theft occurred on npm (owned by GitHub), the distribution channel for the malicious code was Visual Studio Marketplace and its auto-update mechanism (both Microsoft products), and the repositories ultimately targeted were hosted on GitHub (owned by Microsoft). The outlet described it as "a company that controls the entire software development stack being breached through gaps left in its own products." The convenience of vertical integration comes at a cost: a failure in a single link exposes the structural risk that the damage cascades across every layer. Microsoft initially framed the incident as a violation of GitHub's policies, later revising its explanation to an "internal control issue" under investigation, according to StepSecurity's records.
Lineage of the Miasma Worm: From Shai-Hulud to "AI Agent Resident Type"
Miasma does not emerge from mutation — it has a clear "family tree." The starting point is September 2025 and a self-propagating worm called "Shai-Hulud" that shook the npm ecosystem. Named after the sandworm from *Dune*, this worm automated the compromise and redistribution of malicious packages, reportedly pushing npm attacks from an era of "pranks" into an era of "high damage." From it derived "Mini Shai-Hulud," whose source code the cybercrime group TeamPCP fully published on GitHub on May 12, 2026, calling on anyone to run their own independent campaigns on BreachForums. Multiple research organizations — Snyk, Sonar, and Vorlon among them — have analyzed Miasma as a fork built on top of that publicly released Mini Shai-Hulud.
This lineage speaks clearly to the "direction of evolution" in attack techniques. On May 19, 2026, Mini Shai-Hulud contaminated more than 300 npm packages in the @antv namespace. On June 1, 32 packages and 96 versions in Red Hat's @redhat-cloud-services namespace were backdoored by Miasma — exploiting a trusted, published scope as a "legitimate entry point." Then on June 5, it finally reached Microsoft's Azure infrastructure. According to StepSecurity's tallies, this campaign has so far spread to more than 113 GitHub repositories — including those of TanStack and Mistral AI — and dozens of accounts. Detection evasion has also grown more sophisticated: because Miasma uniquely encrypts its payload with each infection, traditional hash-based indicators of compromise (IOCs) are only valid for a single package version. Detection therefore has to key on the trigger rather than the payload: a SessionStart hook or folderOpen task appearing in a repository that never had one is a far more stable indicator than any file hash.
The most significant evolution is what Vorlon has characterized as "the first supply-chain attack designed in the wild to persist across AI coding agent sessions." Where earlier worms relied on execution at install time, Mini Shai-Hulud and Miasma have acquired the ability to "reside" inside Claude Code hooks, VS Code tasks, and CI/CD pipelines. A technique Snyk reported as "Phantom Gyp" avoids closely monitored install scripts and instead uses a weaponized binding.gyp to have node-gyp execute attack code — 57 packages were affected. Attackers no longer need a continuously running process. All that is required is for a developer to "open" a project with the tools they trust.
Microsoft and Security Companies' Responses and Coverage
It was not Microsoft or GitHub that first detected the incident, but external research communities such as Cloudsmith and OpenSourceMalware. Ashish Kurmi of StepSecurity clarified the technical sequence of events, stating that the attack "began when a compromised contributor account pushed malicious commits," while Snyk categorized this worm as "a descendant of the Mini Shai-Hulud worm." A cautious view prevails regarding attribution. Mini Shai-Hulud was developed by TeamPCP, but because the developers themselves released the source code, it is difficult to identify who is operating the Miasma variant — a situation akin to "the weapon having been distributed to everyone."
Microsoft's own public communications were, at first, extremely limited. According to The Register, the company did not initially respond promptly to requests for comment, after which spokesperson Ben Hope issued the aforementioned statement. BankInfoSecurity reported that neither Microsoft nor GitHub has offered any detailed official position beyond the factual matter of removing the malicious code and restoring the repositories. The tone common across this coverage reflects the shock of the reality that "even a company operating one of the world's largest development platforms was breached twice by the same attacker within just a few weeks." Computing and The Register both emphasized that this represented a "second" known breach for Microsoft in a short period, and concluded that the very "trust relationships" and "automation features" upon which modern software development depends have themselves been converted into attack surfaces.
Silicon Valley VC Perspective: Supply Chain Security as an Investment Theme
This is where the analysis diverges from what most news sites are willing to explore. This incident should not be read as an isolated scandal, but as the moment when two investment themes that Silicon Valley venture capital has been backing for years — "the explosive proliferation of AI coding agents" and "software supply chain security" — intersected in the worst possible way.
On one side, "AI coding agents" represent one of the most heavily funded spaces in the world right now. Anysphere, the developer of Cursor, was reportedly in discussions to raise over $2 billion at a $50 billion valuation as of April 2026, according to TechCrunch, led by a16z (Andreessen Horowitz) and Thrive Capital, with Nvidia and Battery Ventures also said to be involved. This marks a dramatic surge from its previous valuation of $29.3 billion in November 2025, with the company reportedly on pace to surpass $6 billion in ARR within 2026. VCs are placing astronomical bets on the expectation that AI agents will accelerate development automation in one sweeping motion. But Miasma exploited precisely the gap in that "automated trust." The attack vector was the agent's design feature of unconditionally trusting and auto-executing configuration files. The convenience that VCs are valuing and the risk this incident has exposed are two sides of the same coin.
On the other side, "supply chain security" has grown rapidly as the defensive investment theme at the opposite pole. The leading example, Chainguard, raised $356 million in a Series D co-led by Kleiner Perkins and IVP, reaching a valuation of $3.5 billion. Its cumulative funding stands at $612 million, with ARR targeting a jump from $40 million to over $100 million within fiscal year 2026. Endor Labs, based in Palo Alto, has also raised $70 million in Series A and $93 million in Series B — $188 million cumulative — from a roster including Lightspeed, Coatue, Salesforce Ventures, Dell Technologies Capital, Section 32, and Citi Ventures. Including developer-first supply chain defenses like Socket, VCs have positioned this space as "the next essential infrastructure." a16z directly addressed this theme in its podcast "Securing the Software Supply Chain with LLMs," and the firm's security partner Joel de la Garza warned that while deploying agentic products at scale can meaningfully strengthen defenses, adversaries gain access to the same tools. Miasma's demonstrated sophistication — re-encrypting with each infection and persisting within AI agents — validates this prophecy of "both attackers and defenders wielding AI."
The investment implications this incident reveals from a VC perspective are clear. First, the massive investment in AI coding agents is inseparable from the safe-design question of how to verify and constrain what agents "trust to execute" — the companies that solve this become the next winners. Second, supply chain defense must expand its inspection scope from "scanning at install time" to "persistent detection in agent configuration files and CI/CD pipelines," which renders part of the existing tooling obsolete and opens new procurement opportunities at the same time. Third, the structure in which vertically integrated players like Microsoft "own every link and therefore every link becomes a vulnerability" actually serves as a tailwind for independent security companies. The very sophistication of attacks drives up the valuations of defensive startups — this is Silicon Valley's cold, hard logic.
Future Developments: When and What Will Be Observed
The most immediate concern in the short term is a recurrence of the attack. Given that the root cause was not a sophisticated vulnerability but rather "a failure to revoke stolen tokens," if a thorough rotation of related credentials is not completed within the coming weeks, a third breach would not be surprising. Developers and organizations that may have been affected should audit their use of Azure Functions-related components and immediately reissue cloud and developer tool credentials — this is the first line of defense for now. Rotation has to cover everything a compromised developer machine could have exposed (cloud keys, GitHub and npm tokens, SSH keys, password manager sessions), not only the token known to have been used, since that partial revocation is exactly what left the door open the first time.
In the medium term, the fact that the Mini Shai-Hulud source code is already publicly available carries serious weight. With a ready-made "weapon" that anyone can fork now circulating, there is a strong likelihood that variants targeting other prominent namespaces on npm and PyPI, as well as major open-source organizations beyond Microsoft, will continue to emerge throughout the summer and autumn of 2026. On the detection side, against Miasma — where encryption changes with each infection — the focus must shift away from hash matching and toward behavioral detection and continuous monitoring of AI agent configuration files. A key development to watch will be when and how agent platform providers — GitHub/npm (Microsoft), Anthropic, Google, Anysphere, and others — revise their specifications to mandate "user approval" or signature verification for the auto-execution of configuration files.
Regulatory and standardization efforts are also coming into view. The development of Software Bill of Materials (SBOM) frameworks and the strengthening of trusted publishing on registries will likely return to the table in light of the lesson learned from Red Hat's @redhat-cloud-services having its "legitimate publishing pipeline" exploited. From a venture capital perspective, all of these defensive hardening and regulatory compliance efforts are generating new product demand. In the paradox where more sophisticated attacks drive greater investment in defense, Silicon Valley is watching "AI agent security" as the next massive category. The fact that Microsoft lost 73 repositories in 105 seconds has shown the world that this investment thesis is no longer theoretical — it is tangible, real-world damage. And beyond this specific incident, some in Silicon Valley have already begun moving away from GitHub, with a visible trend toward migrating to self-managed GitLab configurations in order to bring the very infrastructure of code management under their own control. Note, though, that the Miasma vector travels inside the clone: a hook in .claude/ or a folderOpen task in .vscode/ executes the same way whether the repository is served from GitHub or from a self-managed GitLab, so changing hosts changes who controls the platform, not what an opened folder is allowed to run.